All of lore.kernel.org
 help / color / mirror / Atom feed
* Leaking path for set_task_comm
@ 2018-09-25 17:27 ` Tong Zhang
  0 siblings, 0 replies; 10+ messages in thread
From: Tong Zhang @ 2018-09-25 17:27 UTC (permalink / raw)
  To: adobriyan, akpm, viro, gorcunov
  Cc: linux-kernel, linux-fsdevel, linux-security-module, wenbo.s

Kernel Version: 4.18.5

Problem Description:

When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.

We discovered a leaking path that can also use method implemented in 
fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision.

- Tong


^ permalink raw reply	[flat|nested] 10+ messages in thread
* Leaking path for set_task_comm
@ 2018-09-25 17:27 ` Tong Zhang
  0 siblings, 0 replies; 10+ messages in thread
From: Tong Zhang @ 2018-09-25 17:27 UTC (permalink / raw)
  To: linux-security-module

Kernel Version: 4.18.5

Problem Description:

When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.

We discovered a leaking path that can also use method implemented in 
fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM?s decision.

- Tong

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: Leaking path for set_task_comm
  2018-09-25 17:27 ` Tong Zhang
@ 2018-09-25 18:39   ` Cyrill Gorcunov
  -1 siblings, 0 replies; 10+ messages in thread
From: Cyrill Gorcunov @ 2018-09-25 18:39 UTC (permalink / raw)
  To: Tong Zhang
  Cc: adobriyan, akpm, viro, linux-kernel, linux-fsdevel,
	linux-security-module, wenbo.s

On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote:
> Kernel Version: 4.18.5
> 
> Problem Description:
> 
> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
> 
> We discovered a leaking path that can also use method implemented in 
> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision.

I don't understand how it is a problem. Could you please explain?
procfs/comm is created with S_IRUGO|S_IWUSR permissions. So
prctl and procfs are simply different interfaces.

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Leaking path for set_task_comm
@ 2018-09-25 18:39   ` Cyrill Gorcunov
  0 siblings, 0 replies; 10+ messages in thread
From: Cyrill Gorcunov @ 2018-09-25 18:39 UTC (permalink / raw)
  To: linux-security-module

On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote:
> Kernel Version: 4.18.5
> 
> Problem Description:
> 
> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
> 
> We discovered a leaking path that can also use method implemented in 
> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM?s decision.

I don't understand how it is a problem. Could you please explain?
procfs/comm is created with S_IRUGO|S_IWUSR permissions. So
prctl and procfs are simply different interfaces.

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: Leaking path for set_task_comm
  2018-09-25 18:39   ` Cyrill Gorcunov
@ 2018-09-26  0:44     ` TongZhang
  -1 siblings, 0 replies; 10+ messages in thread
From: TongZhang @ 2018-09-26  0:44 UTC (permalink / raw)
  To: Cyrill Gorcunov
  Cc: adobriyan, akpm, viro, LKML, linux-fsdevel,
	linux-security-module, Wenbo Shen

Yes, this is exactly what I am saying.
A process can change its own name using prctl or /proc/self/comm.
prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.

A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.

> On Sep 25, 2018, at 2:39 PM, Cyrill Gorcunov <gorcunov@gmail.com> wrote:
> 
> On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote:
>> Kernel Version: 4.18.5
>> 
>> Problem Description:
>> 
>> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
>> 
>> We discovered a leaking path that can also use method implemented in 
>> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision.
> 
> I don't understand how it is a problem. Could you please explain?
> procfs/comm is created with S_IRUGO|S_IWUSR permissions. So
> prctl and procfs are simply different interfaces.


^ permalink raw reply	[flat|nested] 10+ messages in thread
* Leaking path for set_task_comm
@ 2018-09-26  0:44     ` TongZhang
  0 siblings, 0 replies; 10+ messages in thread
From: TongZhang @ 2018-09-26  0:44 UTC (permalink / raw)
  To: linux-security-module

Yes, this is exactly what I am saying.
A process can change its own name using prctl or /proc/self/comm.
prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.

A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.

> On Sep 25, 2018, at 2:39 PM, Cyrill Gorcunov <gorcunov@gmail.com> wrote:
> 
> On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote:
>> Kernel Version: 4.18.5
>> 
>> Problem Description:
>> 
>> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
>> 
>> We discovered a leaking path that can also use method implemented in 
>> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM?s decision.
> 
> I don't understand how it is a problem. Could you please explain?
> procfs/comm is created with S_IRUGO|S_IWUSR permissions. So
> prctl and procfs are simply different interfaces.

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: Leaking path for set_task_comm
  2018-09-26  0:44     ` TongZhang
@ 2018-09-26  3:16       ` Theodore Y. Ts'o
  -1 siblings, 0 replies; 10+ messages in thread
From: Theodore Y. Ts'o @ 2018-09-26  3:16 UTC (permalink / raw)
  To: TongZhang
  Cc: Cyrill Gorcunov, adobriyan, akpm, viro, LKML, linux-fsdevel,
	linux-security-module, Wenbo Shen

On Tue, Sep 25, 2018 at 08:44:39PM -0400, TongZhang wrote:
> Yes, this is exactly what I am saying.
> A process can change its own name using prctl or /proc/self/comm.
> prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
> 
> A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.

None of the in-tree LSM's try to affect PR_SET_NAME.  Looking at
security/commoncap.c, it's clear what is of interest is to checking
things relating to security sensitive things relating to capabilities, such as:

       PR_SET_SECUREBITS
       PR_CAPBSET_*
       PR_*_SECUREBITS
       PR_*_KEEPCAPS
       PR_CAP_AMBIENT

Trying to depend on task name for anything security sensitive is at
_really_ bad idea, so it seems unlikely that a LSM would want to
protect the process name.  (And if they did, the first thing I would
ask is "Why?  What are you trying to do?  Do you realize how many
*other* ways the process name can be spoofed or otherwise controlled
by a potentially malicious user?")

					- Ted

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Leaking path for set_task_comm
@ 2018-09-26  3:16       ` Theodore Y. Ts'o
  0 siblings, 0 replies; 10+ messages in thread
From: Theodore Y. Ts'o @ 2018-09-26  3:16 UTC (permalink / raw)
  To: linux-security-module

On Tue, Sep 25, 2018 at 08:44:39PM -0400, TongZhang wrote:
> Yes, this is exactly what I am saying.
> A process can change its own name using prctl or /proc/self/comm.
> prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
> 
> A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.

None of the in-tree LSM's try to affect PR_SET_NAME.  Looking at
security/commoncap.c, it's clear what is of interest is to checking
things relating to security sensitive things relating to capabilities, such as:

       PR_SET_SECUREBITS
       PR_CAPBSET_*
       PR_*_SECUREBITS
       PR_*_KEEPCAPS
       PR_CAP_AMBIENT

Trying to depend on task name for anything security sensitive is at
_really_ bad idea, so it seems unlikely that a LSM would want to
protect the process name.  (And if they did, the first thing I would
ask is "Why?  What are you trying to do?  Do you realize how many
*other* ways the process name can be spoofed or otherwise controlled
by a potentially malicious user?")

					- Ted

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: Leaking path for set_task_comm
  2018-09-26  3:16       ` Theodore Y. Ts'o
@ 2018-09-26 22:39         ` Alan Cox
  -1 siblings, 0 replies; 10+ messages in thread
From: Alan Cox @ 2018-09-26 22:39 UTC (permalink / raw)
  To: Theodore Y. Ts'o; +Cc: TongZhang, Cyrill Gorcunov, adobriyan, akpm, viro


> Trying to depend on task name for anything security sensitive is at
> _really_ bad idea, so it seems unlikely that a LSM would want to
> protect the process name.  (And if they did, the first thing I would
> ask is "Why?  What are you trying to do?  Do you realize how many
> *other* ways the process name can be spoofed or otherwise controlled
> by a potentially malicious user?")

Two processes that should not be able to otherwise communicate can keep
changing their name to a chunk of data, waiting for an ack flag name
change back.

Alan

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Leaking path for set_task_comm
@ 2018-09-26 22:39         ` Alan Cox
  0 siblings, 0 replies; 10+ messages in thread
From: Alan Cox @ 2018-09-26 22:39 UTC (permalink / raw)
  To: linux-security-module


> Trying to depend on task name for anything security sensitive is at
> _really_ bad idea, so it seems unlikely that a LSM would want to
> protect the process name.  (And if they did, the first thing I would
> ask is "Why?  What are you trying to do?  Do you realize how many
> *other* ways the process name can be spoofed or otherwise controlled
> by a potentially malicious user?")

Two processes that should not be able to otherwise communicate can keep
changing their name to a chunk of data, waiting for an ack flag name
change back.

Alan

^ permalink raw reply	[flat|nested] 10+ messages in thread
end of thread, other threads:[~2018-09-28 14:05 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-25 17:27 Leaking path for set_task_comm Tong Zhang
2018-09-25 17:27 ` Tong Zhang
2018-09-25 18:39 ` Cyrill Gorcunov
2018-09-25 18:39   ` Cyrill Gorcunov
2018-09-26  0:44   ` TongZhang
2018-09-26  0:44     ` TongZhang
2018-09-26  3:16     ` Theodore Y. Ts'o
2018-09-26  3:16       ` Theodore Y. Ts'o
2018-09-26 22:39       ` Alan Cox
2018-09-26 22:39         ` Alan Cox

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.